Federal Information Security Management Act: Fiscal Year 2013 Evaluation (IG-14-004, November 20, 2013)

The NASA Office of Inspector General (OIG) prepared a summary report in response to the fiscal year (FY) 2013 reporting requirements for the Federal Information Security Management Act (FISMA). In accordance with Office of Management and Budget requirements for this year’s review, we examined NASA’s efforts in the following 11 areas:

   • continuous monitoring management;
   • configuration management;
   • identity and access management;
   • incident response and reporting;
   • risk management;
   • security training;
   • plan of action and milestones;
   • remote access management;
   • contingency planning;
   • contractor systems; and
   • security capital planning.

We conducted our work using a sample of 8 Agency systems and 2 contractor systems. We also reviewed NASA’s progress in implementing prior OIG recommendations.

Overall, we found that NASA has established a program to address each of the 11 areas we examined. However, we also found that the Agency needs to enhance its efforts with regard to configuration management, risk management, and contractor systems.

By implementing previous OIG recommendations and through related efforts, NASA is steadily working to improve its overall information technology (IT) security posture. Nevertheless, IT security remains a significant challenge for the Agency as it moves toward more effective IT governance and risk management practices. The OIG will continue to assess NASA’s IT security program through focused audits of discrete IT issues as well as through our annual FISMA review.

The OMB will provide a consolidated FISMA report to Congress that will include information from our report. However, as an “Intra-Agency Memorandum” our report is considered exempt from release under the Freedom of Information Act (FOIA); it also contains NASA Information Technology/Internal Systems Data considered Sensitive But Unclassified and therefore not routinely released under FOIA. To submit a FOIA request, see the online guide.

OMB’s report is made available over the Internet (last year’s, Fiscal Year 2012 Report to Congress on the Implementation of The Federal Information Security Management Act of 2002, was released by OMB in March 2013).